1 post for April 2026:
| Notes ping ICMP | 2026/04/03 23:01 | Jean-Baptiste |
Notes on the ARP protocol
See also:
- arp-scan
- arptables
- ebtables
- ip neigh (the iproute2 replacement for the arp command)
Load static ARP entries at boot (arp -f reads MAC/IP pairs from /etc/ethers):
/etc/rc.local
#!/bin/sh -e
arp -f /etc/ethers
exit 0
/etc/ethers
20:aa:4b:22:8B:4f 192.168.2.1
00:20:ed:5d:73:0b 192.168.2.100
Display the ARP table
arp -an
ip n
(ndp -a is the BSD/macOS tool for IPv6; on Linux use ip -6 neigh)
cat /proc/net/arp
Another way to protect this host against a MITM attack by ARP cache poisoning: pin the gateway with a static entry, which a forged reply cannot overwrite.
arp -s "$gatewayIp" "$gatewayMac"
This only protects this host's own cache: the gateway's cache can still be poisoned, so the return path is not covered, and the entry has to be updated if the gateway hardware changes.
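The check that goes with the static entry, as an added shell example that is not part of the original notes: it reads the text printed by ip neigh (a constructed sample here; the gateway address and the MACs in it are assumed values, the .1/.100 entries mirror the /etc/ethers file above) and flags the two symptoms of ARP cache poisoning, a gateway answering from a MAC other than the pinned one and one MAC claiming several IPs. check_live is the same test against the real table.

```bash
# Added example, not from the original page. Input is the text printed by
# `ip neigh`; the sample below is constructed, and the gateway address and
# MACs in it are assumed values (the .1/.100 entries mirror /etc/ethers above).
# Scenario: 192.168.2.1 was pinned to 20:aa:4b:22:8b:4f, but a host with MAC
# de:ad:be:ef:00:01 now claims both the gateway and 192.168.2.50.
SAMPLE_NEIGH='192.168.2.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.2.100 dev eth0 lladdr 00:20:ed:5d:73:0b STALE
192.168.2.50 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.2.7 dev eth0 FAILED'

# mac_of_ip NEIGH_TEXT IP: print the MAC learnt for IP in lowercase,
# nothing if the entry is unresolved (FAILED/INCOMPLETE) or absent.
mac_of_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$1 == ip && $4 == "lladdr" { print tolower($5); exit }'
}

# gateway_mac_ok NEIGH_TEXT GW_IP EXPECTED_MAC
# returns 0 if the table agrees with the pinned MAC, 1 if it differs
# (poisoned, or the gateway was replaced), 2 if the gateway is not resolved.
gateway_mac_ok() {
    seen=$(mac_of_ip "$1" "$2")
    [ -n "$seen" ] || return 2
    want=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ "$seen" = "$want" ]
}

# shared_macs NEIGH_TEXT: one line "MAC ip1 ip2 ..." per MAC that several IPs
# resolve to. A router or a proxy-ARP host does this legitimately; a workstation
# answering for the gateway and other hosts is the classic spoofer footprint.
shared_macs() {
    printf '%s\n' "$1" | awk '
        $4 == "lladdr" { m = tolower($5); ips[m] = ips[m] " " $1; n[m]++ }
        END { for (m in ips) if (n[m] > 1) print m ips[m] }' | sort
}

# check_live GW_IP GW_MAC: the same check against this host's real table
# (run it after `arp -s`; it needs a network, so it is not called here).
check_live() {
    gateway_mac_ok "$(ip neigh)" "$1" "$2"
}
```

Run check_live "$gatewayIp" "$gatewayMac" from cron or a monitoring check; a return code of 1 is the poisoning alarm, 2 means the gateway entry has dropped out of the table (after a flush, for instance) and is worth a warning rather than an alert.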
Flush the ARP cache
#ip neighbor flush dev bond0
ip -s -s neigh flush all
Delete an entry with the arp command
arp -d 192.168.1.1
Generate a MAC address
printf 'DE:AD:BE:EF:%02X:%02X\n' $((RANDOM%256)) $((RANDOM%256))
52:54:00 is the OUI prefix used by QEMU/KVM virtual NICs.
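The printf above works because DE already has the locally-administered bit set. The added shell example below, which is not from the original notes, makes that explicit: it forces the unicast and locally-administered bits on a fully random first octet, accepts a prefix such as 52:54:00, and checks any MAC for those two bits. Random bytes come from /dev/urandom instead of $RANDOM so it also runs under a plain sh.

```bash
# Added example, not from the original page: locally-administered (LAA) unicast
# MAC generation and check. Bit 0 of the first octet must be 0 (unicast) and
# bit 1 must be 1 (locally administered), i.e. the octet ends in binary ...10.

rand_byte() { od -An -N1 -tu1 /dev/urandom | tr -d ' '; }

# make_laa_mac [PREFIX]
# Without a prefix: six random octets, the first forced to unicast + LAA.
# With a prefix such as 52:54:00 (QEMU/KVM): keep it, randomise the last three.
make_laa_mac() {
    if [ $# -eq 1 ]; then
        printf '%s:%02x:%02x:%02x\n' "$1" "$(rand_byte)" "$(rand_byte)" "$(rand_byte)"
    else
        first=$(( ( $(rand_byte) | 2 ) & 254 ))   # set bit 1, clear bit 0
        printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" \
            "$(rand_byte)" "$(rand_byte)" "$(rand_byte)" "$(rand_byte)" "$(rand_byte)"
    fi
}

# mac_is_laa_unicast MAC: 0 if unicast + locally administered, 1 otherwise,
# 2 if the first octet is not two hex digits.
mac_is_laa_unicast() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    case "$first" in
        [0-9a-fA-F][0-9a-fA-F]) ;;
        *) return 2 ;;
    esac
    val=$(( 0x$first ))
    [ $(( val & 3 )) -eq 2 ]
}
```

Use the check before handing a MAC to ip link set address or to a VM definition: a MAC with the LAA bit clear collides with a vendor's address space, and one with the multicast bit set is refused by the kernel.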
Example of a problem: arping gets a unicast reply from the host, but the kernel's own resolution for the same address goes INCOMPLETE and then FAILED, so ping never gets a reply.
# arping -I p1p2 -c 1 215.219.132.12
ARPING 215.219.132.12 from 215.219.132.91 p1p2
Unicast reply from 215.219.132.12 [4C:D9:8F:9A:06:74] 0.766ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
# ping -I p1p2 215.219.132.12
PING 215.219.132.12 (215.219.132.12) from 215.219.132.91 p1p2: 56(84) bytes of data.
# ip neigh | egrep 215.219.132.12
215.219.132.12 dev p1p2 FAILED
Clearing cache with ip
# ip -s -s n flush all
215.219.132.12 dev p1p2 used 13/75/12 probes 6 FAILED
172.19.1.254 dev nm-bond lladdr d0:d0:fd:8d:a4:43 ref 1 used 45/0/45 probes 4 REACHABLE

*** Round 1, deleting 2 entries ***
*** Flush is complete after 1 round ***
# ping -I p1p2 215.219.132.12
PING 215.219.132.12 (215.219.132.12) from 215.219.132.91 p1p2: 56(84) bytes of data.
^C
--- 215.219.132.12 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
# ip n
215.219.132.12 dev p1p2 INCOMPLETE
172.19.1.254 dev nm-bond lladdr d0:d0:fd:8d:a4:43 REACHABLE
# ip n
215.219.132.12 dev p1p2 FAILED
172.19.1.254 dev nm-bond lladdr d0:d0:fd:8d:a4:43 REACHABLE
Duplicate IP address problem
Error, another host is already using address 192.168.1.20
But none of this helps:
iptables -I INPUT -i eth0
iptables -I FORWARD -i eth0
#iptables -I FORWARD -o eth0
iptables -I OUTPUT -o eth0
ip route del blackhole 192.168.1.20
This is a real error. On a test VM I have to test a procedure, but on every possible network interface of the hypervisor my address is already taken.
It is rare to want to force or ignore a duplicate IP address, but in my case I am in a lab environment and changing IP address is complicated for me.
Solution:
ip link set arp off dev eth0
This sets the NOARP flag: the kernel no longer answers ARP requests for the address (so the other host keeps working) and no longer sends any, which means every neighbour this VM must reach, starting with the gateway, needs a static entry (see arp -s above).
See also
echo 1 > /proc/sys/net/ipv4/conf/all/hidden
The hidden sysctl only exists on kernels carrying the LVS "hidden" patch; mainline kernels expose arp_ignore and arp_announce in the same directory instead.
Other solution:
- Remove eth0 (but how?)
- Recreate it with the ip command and put a bridge or something else on top of it
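The "ARP off" workaround as a small procedure, added here as a shell example that is not part of the original notes: it plans the two commands (permanent neighbour entry for the gateway first, then NOARP on the interface), refuses malformed input, can apply the plan as root, and checks the NOARP flag in the text printed by ip link show. The interface, gateway address and MAC are assumed values, and SAMPLE_LINK is constructed.

```bash
# Added example, not from the original page. Interface name, gateway IP and MAC
# below are assumed values; SAMPLE_LINK is a constructed `ip link show` output.

valid_mac()  { printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; }
valid_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# noarp_plan IFACE GW_IP GW_MAC: print the commands, one per line, without running them.
# The permanent entry comes first so the gateway stays reachable once ARP is off.
noarp_plan() {
    iface=$1 gw_ip=$2 gw_mac=$3
    valid_ipv4 "$gw_ip" || { echo "bad gateway IP: $gw_ip" >&2; return 1; }
    valid_mac "$gw_mac" || { echo "bad gateway MAC: $gw_mac" >&2; return 1; }
    printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' "$gw_ip" "$gw_mac" "$iface"
    printf 'ip link set arp off dev %s\n' "$iface"
}

# noarp_apply IFACE GW_IP GW_MAC: run the plan (needs root); stops at the first failure.
noarp_apply() {
    plan=$(noarp_plan "$@") || return 1
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1          # word-split on purpose: the plan holds plain commands
    done
}

# iface_has_noarp LINK_TEXT IFACE: 0 if the flags of IFACE in `ip link show` output contain NOARP
iface_has_noarp() {
    printf '%s\n' "$1" | awk -v ifc="$2:" \
        '$2 == ifc && $3 ~ /[<,]NOARP[,>]/ { found = 1 } END { exit !found }'
}

# constructed `ip link show` output after the change
SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <NOARP,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'
```

Undo it with ip link set arp on dev eth0 and ip neigh del for the permanent entry; while NOARP is set, any host not listed with a permanent entry is unreachable from the VM, which is the price of not answering for the duplicate address.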
Notes ArangoDB
$ docker run -p 8529:8529 -e ARANGO_ROOT_PASSWORD=P@ssw0rd arangodb/arangodb:latest
Unable to find image 'arangodb/arangodb:latest' locally
latest: Pulling from arangodb/arangodb
Digest: sha256:38406ec046ac1f649c99c600a9f07d67e26e3dc06cf78bab7c89712c2d857ebf
Status: Downloaded newer image for arangodb/arangodb:latest
Initializing root user...Hang on...
Illegal instruction (core dumped)
Cause: the processor(s) must support the SSE 4.2 and AVX instruction sets (Intel Sandy Bridge or better, AMD Bulldozer or better, etc.).
Side note: a password passed with -e ends up in the shell history and stays readable with docker inspect on the container.
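The check to run before pulling the image, as an added shell example (not from the original notes): it compares the flags line of /proc/cpuinfo with the instruction sets ArangoDB requires and names the missing ones. OLD_CPU and NEW_CPU are constructed flags lines; host_check reads the real file.

```bash
# Added example, not from the original page. OLD_CPU/NEW_CPU are constructed
# /proc/cpuinfo "flags" lines; the old one reproduces the Illegal instruction case.
OLD_CPU='flags		: fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 sse4_1 sse4_2 popcnt'
NEW_CPU='flags		: fpu sse sse2 ssse3 sse4_1 sse4_2 avx avx2'

ARANGO_FLAGS='sse4_2 avx'

# missing_cpu_flags FLAGS_LINE "flag1 flag2 ...": print the flags not present,
# return 0 if none are missing, 1 otherwise.
missing_cpu_flags() {
    have=" $(printf '%s' "$1" | sed 's/^flags[[:space:]]*:[[:space:]]*//') "
    missing=""
    for f in $2; do
        case "$have" in
            *" $f "*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "${missing# }"
    return 1
}

# host_flags_line: flags line of the first CPU in /proc/cpuinfo (empty if unavailable)
host_flags_line() { grep -m1 '^flags' /proc/cpuinfo 2>/dev/null || true; }

# host_check: the real test for this machine
host_check() { missing_cpu_flags "$(host_flags_line)" "$ARANGO_FLAGS"; }
```

On a VM the flags come from the CPU model the hypervisor exposes, not from the physical host, so a guest configured with an old model fails even on new hardware.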
Notes AppArmor
nscd with server-user nobody
The nscd Apparmor profile is not prepared for that and needs some additional capabilities added.
Necessary changes are:
- /etc/nscd.conf
  server-user nobody
- /etc/apparmor.d/usr.sbin.nscd
  capability setgid,
  capability setuid,
After adding these lines, restart Apparmor and subsequently nscd
source: https://www.suse.com/fr-fr/support/kb/doc/?id=000017971
K3S rootless
cat <<EOF | sudo tee "/etc/apparmor.d/usr.local.bin.k3s"
abi <abi/4.0>,
include <tunables/global>

/usr/local/bin/k3s flags=(unconfined) {
  userns,

  include if exists <local/usr.local.bin.k3s>
}
EOF
sudo systemctl restart apparmor.service
Needed on distributions that restrict unprivileged user namespaces through AppArmor (Ubuntu 24.04 and later): the profile leaves k3s unconfined but explicitly grants it the userns permission.
Source: https://docs.k3s.io/advanced
Notes on Apache
Version: apachectl -v
Server MPM mode: apachectl -V
Loaded modules: apachectl -M
Compiled-in modules: apachectl -l
Test the syntax: apachectl -t
List the vhosts: apache2ctl -S
Environment of the running Apache processes (here, to find which TNS_ADMIN the Oracle client picks up):
grep -Pa -o 'TNS_ADMIN=[^\x00]*\x00' /proc/$(pgrep -o apache)/environ |sed -e 's/[^[:print:]]//g'
pgrep -o picks the oldest matching process, i.e. the parent; /proc/PID/environ is readable only by that process's owner or root, and it shows the environment as it was at exec time.
Rewrite
Example config
RewriteCond %{HTTP_HOST} =plop.acme.fr [NC,OR]
RewriteCond %{HTTP_HOST} =www.plop.acme.fr [NC]
RewriteRule .* https://acme.fr/plop [L,R=301]
### GARBAGE COLLECTOR ###
RewriteRule .* https://r.acme.fr/error_unavailable [L]
The first rule sends both hostnames to https://acme.fr/plop with a permanent 301. The catch-all has no condition and an absolute URL on another host as target, so mod_rewrite turns it into an external redirect (302, since no R flag is given) for every request that reaches it; it must stay last.
Performance
Memory per process
ps -ylC httpd --sort:rss
Check allow and deny rules
2.2 configuration:
Order allow,deny
Allow from all
2.4 configuration:
Require all granted
# Require all denied
In 2.4 the Order/Allow/Deny directives are only accepted when mod_access_compat is loaded, and mixing them with Require in the same context is error-prone: convert everything to Require.
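An audit of that conversion, as an added shell example that is not part of the original notes: it lists the 2.2-style Order/Allow/Deny lines left in a configuration and reports whether the root <Directory /> block grants access to everyone, which the 2.4 default deliberately denies. The three CONF_* texts are constructed; on a real server feed it the files under /etc/apache2 or the output of apachectl -t -D DUMP_INCLUDES.

```bash
# Added example, not from the original page. CONF_22 / CONF_24_BAD / CONF_24_GOOD
# are constructed configuration snippets.
CONF_22='<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory /var/www/>
    Order allow,deny
    Allow from all
</Directory>'

CONF_24_BAD='<Directory />
    Require all granted
</Directory>'

CONF_24_GOOD='<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Require all granted
</Directory>'

# legacy_access_directives CONF_TEXT: print (with line numbers) every 2.2-style
# access directive; AllowOverride is deliberately not matched.
legacy_access_directives() {
    printf '%s\n' "$1" \
        | grep -niE '^[[:space:]]*(Order|Allow[[:space:]]+from|Deny[[:space:]]+from)[[:space:]]' || true
}

# root_dir_granted CONF_TEXT: 0 if a <Directory /> block contains "Require all granted"
root_dir_granted() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /^[ \t]*<directory[ \t]+"?\/"?[ \t]*>/      { inroot = 1; next }
        inroot && tolower($0) ~ /^[ \t]*<\/directory>/           { inroot = 0 }
        inroot && tolower($0) ~ /require[ \t]+all[ \t]+granted/  { found = 1 }
        END { exit !found }'
}

# audit CONF_TEXT: human summary, returns 1 if anything needs attention
audit() {
    rc=0
    legacy=$(legacy_access_directives "$1")
    if [ -n "$legacy" ]; then
        echo "2.2-style access directives (need mod_access_compat):"; echo "$legacy"; rc=1
    fi
    if root_dir_granted "$1"; then
        echo "<Directory /> grants access to everyone; use Require all denied there"; rc=1
    fi
    return $rc
}
```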
Hardening Apache
Ignore in the logs: File does not exist: /var/www/favicon.ico
/etc/apache2/conf.d/nofavicon.conf
Redirect 404 /favicon.ico
<Location /favicon.ico>
ErrorDocument 404 "No favicon"
</Location>
Problem
FastCGI error: comm with server - FastCGI: incomplete headers
2017-06-16T10:58:25.485 PCWEB1 err apache2[3253]: [fastcgi:error] [pid 3253:tid 140133122676480] [client 192.168.115.153:62059] FastCGI: comm with server "/PhpFpmVirtuel" aborted: idle timeout (30 sec)
2017-06-16T10:58:25.485 PCWEB1 err apache2[3253]: [fastcgi:error] [pid 3253:tid 140133122676480] [client 192.168.115.153:62059] FastCGI: incomplete headers (0 bytes) received from server "/PhpFpmVirtuel"
Looking more closely, the access.log shows, just before the error:
2017-06-16T10:58:25.485 PCWEB1 debug access[3234]: 192.168.115.153 10:57:55.456 duration=30028931 (us) rec=893 (bytes) "POST /site/plop.php HTTP/1.1" 500 sent=763 (bytes)
The problem is that the PHP script /site/plop.php runs into the timeout: while the duration stays under 30 seconds the request succeeds (200); beyond 30 s it fails (500). That 30 s is mod_fastcgi's -idle-timeout (30 seconds by default) on the FastCgiServer / FastCgiExternalServer line for /PhpFpmVirtuel; raising it is only a stopgap, the real fix is whatever makes plop.php take that long.
grep plop.php /var/log/apache/access.log | sed -e 's/^.*duration=//' |sort -n |tail
14777626 (us) rec=895 (bytes) "POST /site/plop.php HTTP/1.1" 200 sent=240 (bytes)
15397927 (us) rec=892 (bytes) "POST /site/plop.php HTTP/1.1" 200 sent=240 (bytes)
15993455 (us) rec=895 (bytes) "POST /site/plop.php HTTP/1.1" 200 sent=240 (bytes)
17382090 (us) rec=892 (bytes) "POST /site/plop.php HTTP/1.1" 200 sent=240 (bytes)
17850899 (us) rec=893 (bytes) "POST /site/plop.php HTTP/1.1" 200 sent=240 (bytes)
30026574 (us) rec=898 (bytes) "POST /site/plop.php HTTP/1.1" 500 sent=763 (bytes)
30027079 (us) rec=892 (bytes) "POST /site/plop.php HTTP/1.1" 500 sent=763 (bytes)
30028931 (us) rec=893 (bytes) "POST /site/plop.php HTTP/1.1" 500 sent=763 (bytes)
30029299 (us) rec=895 (bytes) "POST /site/plop.php HTTP/1.1" 500 sent=763 (bytes)
30029900 (us) rec=898 (bytes) "POST /site/plop.php HTTP/1.1" 500 sent=763 (bytes)
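The same analysis as a reusable check, added here as a shell example that is not part of the original notes: it parses access-log lines in the duration= format shown above, lists the slowest requests with their status, and counts those that crossed the FastCGI timeout and ended in a 500. LOG is a constructed sample modelled on the page's lines (the GET line is made up); request paths are assumed to contain no spaces.

```bash
# Added example, not from the original page. LOG is a constructed sample in the
# same "duration=N (us) ... "METHOD /path HTTP/1.1" STATUS" layout as the page.
LOG='2017-06-16T10:57:40.100 PCWEB1 debug access[3234]: 192.168.115.153 10:57:25.000 duration=15397927 (us) rec=892 (bytes) "POST /site/plop.php HTTP/1.1" 200 sent=240 (bytes)
2017-06-16T10:58:25.485 PCWEB1 debug access[3234]: 192.168.115.153 10:57:55.456 duration=30028931 (us) rec=893 (bytes) "POST /site/plop.php HTTP/1.1" 500 sent=763 (bytes)
2017-06-16T10:59:01.200 PCWEB1 debug access[3234]: 192.168.115.153 10:58:31.100 duration=30029900 (us) rec=898 (bytes) "POST /site/plop.php HTTP/1.1" 500 sent=763 (bytes)
2017-06-16T10:59:05.000 PCWEB1 debug access[3234]: 192.168.115.10 10:59:04.900 duration=83112 (us) rec=410 (bytes) "GET /site/index.php HTTP/1.1" 200 sent=1024 (bytes)'

# mod_fastcgi default -idle-timeout, in microseconds as the log records durations
FCGI_IDLE_US=30000000

# slow_requests LOG_TEXT THRESHOLD_US: "duration status method path", slowest
# first, for every request whose duration is at least THRESHOLD_US.
slow_requests() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        {
            d = -1; st = ""; meth = ""; path = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^duration=/) d = substr($i, 10) + 0          # drop "duration="
                if (meth == "" && $i ~ /^"/) { meth = substr($i, 2); path = $(i + 1) }
                if ($i ~ /"$/) st = $(i + 1)                           # status follows the closing quote
            }
            if (d >= thr) printf "%d %s %s %s\n", d, st, meth, path
        }' | sort -rn
}

# timeout_hits LOG_TEXT THRESHOLD_US: number of over-threshold requests that ended in a 500
timeout_hits() {
    slow_requests "$1" "$2" | awk '$2 == 500' | wc -l | tr -d ' '
}

# real use: timeout_hits "$(grep plop.php /var/log/apache/access.log)" "$FCGI_IDLE_US"
```

Run it with a threshold a little under the timeout (say 25000000) to see the requests that are about to start failing, not only the ones that already did.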
[warn] _default_ VirtualHost overlap on port 443, the first has precedence
# apachectl -t
[Mon Sep 14 14:31:10 2020] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Solution
Add NameVirtualHost *:443 (Apache 2.2 only: in 2.4 name-based virtual hosts are automatic and the directive is deprecated and ignored)
/etc/apache2/ports.conf
<IfModule mod_ssl.c>
    NameVirtualHost *:443
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>
